Over the last decade, the various financial crises have pushed companies in every industry to improve efficiency and cut costs wherever they can. The recent ability to attach just about anything to the global Internet has enticed some critical infrastructure companies to interconnect their Supervisory Control and Data Acquisition (SCADA) systems, Industrial Control Systems (ICS) and general corporate intranets to achieve easier device access and reduced communications cost. This has degraded their security posture by exposing the SCADA and ICS systems to attacks from the global Internet and to all the vulnerabilities in Windows and Linux workstations on the general corporate network.
These weaknesses were brought to light in a recent survey of 599 security executives at utility, oil and gas, energy and manufacturing companies. The survey, sponsored by Unisys and conducted by the Ponemon Institute, found that 78 percent of respondents believe that a successful attack on their SCADA/ICS systems is at least somewhat likely within the next 24 months. At the same time, just 21 percent of respondents thought that the risk level to ICS and SCADA has substantially decreased because of regulations and industry-based security standards.
There are several things these organizations can do to improve the situation without giving up all the cost savings. One is using modern encryption technology to place related systems and components in communities of interest where their communications are protected by a common encryption key. This effectively re-implements the old physical separation while preserving common connectivity.
Another is to take advantage of improvements in authentication technology to implement standards-based dual-factor authentication using Security Assertion Markup Language (SAML). This prevents the exploitation of stolen usernames and passwords.
A third control is to make sure that any devices exposed directly on the Internet have some sort of traffic screening technology (usually a firewall) in front of them that only allows certain types of traffic and maintains a log of access.
For more detail on the survey results, access the Critical Infrastructure: Security Preparedness and Maturity full report.